At a minimum, a Data Use Agreement (DUA) must be in place whenever there are restrictions for: Information Privacy, National Security, Protecting Commercial, Proprietary, or Confidential Interests in Data.
In some cases there are additional guidelines or requirements which must be followed before a DUA can be put into place. Review the following guidance on these topics for next steps and more information.
Topics Covered:
HIPAA protects the privacy of individually identifiable information, sets standards for the security of electronic PHI, and includes breach notification rules.
Researchers that will obtain and use protected health information (PHI) must obtain: (a) authorization from the participant; or (b) a waiver of authorization granted by an IRB, unless the PHI is:
Many UW researchers are also health care providers at a UW covered entity. These researchers follow all policies, procedures, and requirements about the research use of PHI, such as prior IRB approval and a waiver of authorization, even for one’s own patients, and following all UW Medicine Honest Broker requirements.
Please see GUIDANCE HIPAA from the UW’s Human Subjects Division (HSD) for additional information.
UW Medicine maintains policies regarding use of UW Medicine clinical data in research.
Contact ritdatahelp@uw.edu with questions on the Honest Broker processor the Release of UWM Clinical Data for Research Purposes.
Information, including PHI, under a Certificate of Confidentiality, receives the following additional protections, under a Certificate of Confidentiality and sharing is not allowed:
Review: more guidance on Certificate of Confidentiality (CoC) from the UW’s Human Subjects Division.
The EU GDPR limits when and how organizations worldwide can collect, store, use, or otherwise process personal data of persons residing in the European Economic Area (EEA). Please review more information from UW IT on European Union General Data Protection Regulation including how they may impact access and use. If you carry out a UW activity that involves sharing personal data subject to EU GDPR, you will need to consider a Data Processing Agreement.
If you will be handling incoming personal data subject to the EU GDPR, as a processor or controller, the party providing such data may require certain contractual clauses. If a sponsored program, these terms would be placed in the sponsored research agreement or related DUA by the providing party
When routing an eGC1 to OSP and you are aware personal data subject to EU GDPR will be involved, please select the checkbox next to “Other Sensitive Information” under D-1. Ensure you are completing a privacy assessment with the UW Privacy Office if the data handling is considered high-risk data processing.
Researchers who obtain records from schools are responsible for contacting the schools to make sure that the research will comply with FERPA requirements.
Please see more from the Academic Data Management Office.
UW-Led Youth-Involved Research includes any study that involves:
Please see more information on Youth Research Requirements or contact the Youth Protection Coordinator.
The following should be discussed with the Export Controls Office (eco-help@uw.edu) to ensure export compliance:
There may be restrictions or prohibitions on the sharing of data to foreign parties. Please see Foreign Interests and Sponsored Programs for more information.
There are restrictions and prohibitions for sharing classified federal contract information (FCI) or Controlled Unclassified Information (CUI). Typically assessed at the proposal stage, please review proposal stage guidance on Classified or Restricted Research.
In general all research data are considered open access and available in the public domain. See UW Policy on Open Access. However there are commercial and proprietary interests considered in sponsored research contexts.
Data from sponsors or third parties coming into the UW for use on a sponsored project often requires protection for proprietary purposes. Sponsors typically provide a license to us within a sponsored research agreement or will provide a data use agreement.
Review more information on Data Use Agreements and Agreement Types.
Research data are not typically considered intellectual property. However, all UW research data are owned by the UW, except as otherwise provided by an agreement, law, regulations, or policy, and in some cases protected by copyright. See GIM 37 Research Data.
Generally research data developed under a UW sponsored project are required to be open use or available in the public domain. See UW Libraries Guide on Open Access.
Certain sponsors include public access, open use, or open access requirements as a condition of award.
Some examples include:
Some sponsors may require terms in agreements for open source licensing of software. When this happens, your OSP reviewer will request the Principal Investigator to acknowledge and sign the UW IP Disposition Memo (also referred to as the GIM 40 Memo).
UW’s CoMotion also provides detailed guidance on Open Source Licensing at the UW.
Research data is not usually eligible to be protected as standalone commercial innovations. However, data can carry key information necessary to securing intellectual property protection. Additionally, it is important to understand how the parties to an agreement are defining “data”. If the agreement broadly defines data to include innovations, UW Intellectual Property policies apply. See for details: